Benjamin Beale

blockchain engineer

I am a blockchain engineer with experience across the development cycle. My areas of expertise include security, quality engineering, development, test tooling, and test automation. I'm also a Gitcoin KERNEL Fellow.



Quality Engineering

I have a range of quality engineering experience, which includes functional testing, security testing, test planning, and automated test development, along with the integration of workflow and test tooling for the team -- some of which came from third-party vendors, with another being a project of my own.

I am knowledgeable about current QE processes. I am equally, if not more, comfortable opening up a code editor alongside a test session to obtain insight that can only be gained by looking under the hood.

Perhaps more importantly, I am aware of the impact that a well-designed and thorough quality engineering program can have on the number of bugs or defects, even those that are related to security.

Contact me to go over your project's quality engineering needs.

Official U.S. List of Certified & Credentialed Software Testers™ profile


Blockchain

Blockchain applications (dApps) need to be more thoroughly tested than comparable web2 apps.

While all software should be tested to minimize risks and maximize user experience, due to the immutability of public blockchains, a dApp or smart contract deployed to mainnet with an overlooked vulnerability will forever remain in the wild, putting users and their funds at risk. This is extremely dangerous, given the large sums of crypto assets at stake across many projects.


AUDIT

  • Contract Security Review
  • Off-Chain Component Review
  • Mitigation Strategies
Secure*

QA

  • Functional Testing
  • Performance Testing
  • Test Automation
Assure

DEV

  • Smart Contract Development
  • Off-Chain Component Development
  • Documentation
Build

I bring to the table a unique mix of development, QA, application security, and blockchain skills, which grant me an edge over auditors from other tech backgrounds and developers from non-blockchain or non-security backgrounds.

*If your project is
  • early stage
  • not logistically prepared for a full audit
  • already covered by a trusted audit partner

Feel free to contact me anyway. I would be happy to go over how I might be able to help improve your security posture and maximize the impact of any planned or upcoming audits.


Application Security

I am highly motivated by studying the ways in which software behavior can differ from what the end user might expect.

Many vulnerabilities can be uncovered using static and dynamic analysis techniques on either the underlying source code or binaries. My time reviewing bug bounty vulnerability submissions showed me that these vulnerabilities do not always present themselves in places that can be directly affected by users. Nevertheless, their potential to chain with other vulnerabilities necessitates their mitigation as well.

My vulnerability findings include reflected and stored XSS, SQL injections, and a particularly interesting multipart session vulnerability in a learning management system. To see more about my disclosures and mitigations, scroll down to the Projects section.

  • spree - Username enumeration.
  • useragent - Catastrophic backtracking leading to ReDoS.
  • mongo-parse - Fixed arbitrary code injection.
  • sheetjs - Fixed Regular Expression Denial of Service (ReDoS).
  • urlregex - Fixed Regular Expression Denial of Service (ReDoS).
  • safer-eval - Mitigation for arbitrary code execution / sandbox breakout.
  • fun-map - Fixed prototype pollution.
  • bson-objectid - Fixed insufficient input validation.
  • objutil - Fixed prototype pollution.

My appearance on the huntr.dev appsec podcast



Open-Source Intelligence (OSINT)

TraceLabs is a nonprofit organization which does incredible work in the collection and analysis of open source intelligence to aid in missing person searches.

Be sure to visit their events page and join their Slack community to get involved.



Get a hold of me

Feel free to send me an email, connect with me on LinkedIn, or view my GitHub profile.


Projects

  • Mobie - Universal payments and rewards ecosystem.
  • DuBois Gold - DuBois Gold Market Solidity contracts.
  • Dock.io - High-performance distributed ledger technology for Verifiable Credentials.
  • Gitcoin LearningCurve - Smart contracts for free and continuous online learning environments.
  • GANSEC - A GAN-based vulnerability scanner.
  • ARPcanary - A simple ARP spoof detector that I made while playing around with Scapy.
  • Malware Research - A sample of miscellaneous malware written for academic/research purposes.
  • Test Automation Samples - Examples of past automated tests I've written in PHP and Python with identifying context stripped out.
  • GitTreasures - An integration for QE teams connecting Git/GitLab, Jira, Trello and TestRail.
  • TestRailYak - A Python wrapper for interacting with the TestRail API.
  • u-nectix - Algorithmic trading bot for stocks, forex, and cryptocurrencies. Written in Python.
  • py-trade-signal - A library for algorithmic or mechanical discretionary traders to determine buy/sell signals based on multiple technical indicators.
  • tradeSnake - A much earlier algorithmic trading bot for cryptocurrencies that used an exchange no longer operating in the US. Also written in Python.
  • Battleship - A Battleship-type game from a game development class.
  • taxonomizer - A small library for working with text from taxonomic classification. It was originally written using Levenshtein-based string matching algorithms; renewed interest in this project by way of another project is prompting heavy upgrades. The current version under development makes use of natural language processing techniques.
  • COMING SOON turbid - An auction site bidding bot that algorithmically looks for arbitrage opportunities.
  • NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
  • alpaca-trade-api-python - Python client for Alpaca's trade API.
  • alpaca-trade-api-js - NodeJS client for Alpaca's trade API.
  • Reconnoitre - A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.

Resources

A non-exhaustive collection of tools and projects I have found helpful.

Zaproxy

A powerful open-source web application vulnerability scanner.

Nmap

A popular open-source network scanning tool, well known among security researchers.

JetBrains

Advanced IDEs for devs and other software professionals.

Visual Studio Code

A powerful and customizable open source IDE.

HardHat

Robust and fully featured Ethereum development environment.

Web3JS

JavaScript API for interacting with the Ethereum network.

EthersJS

Complete JavaScript Ethereum library. A solid alternative to Web3JS.